Created this dashboard to see when or if an application was deployed successfully. Close to splunkninja’s query, this will also show if the host in question also restarted to apply the new app.
<form>
<label>Deployed Applications</label>
<fieldset submitButton="false">
<input type="checkbox" token="loglevelpicker" searchWhenChanged="true">
<label>Log Level</label>
<choice value="INFO">INFO</choice>
<choice value="WARN*">WARNING</choice>
<choice value="ERROR">ERROR</choice>
<default>INFO,WARN*,ERROR</default>
<valuePrefix>log_level=</valuePrefix>
<delimiter> OR </delimiter>
</input>
<input type="time" token="field1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="multiselect" token="hostpicker">
<label>Host</label>
<choice value="*">All</choice>
<default>*</default>
<valuePrefix>host=</valuePrefix>
<delimiter> OR </delimiter>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<search>
<query>index=_internal sourcetype=splunkd component=DeployedApplication
| stats count by host</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
</input>
<input type="multiselect" token="apppicker" searchWhenChanged="true">
<label>Application</label>
<choice value="*">All</choice>
<valuePrefix>*</valuePrefix>
<valueSuffix>*</valueSuffix>
<delimiter> OR </delimiter>
<fieldForLabel>applicationx</fieldForLabel>
<fieldForValue>applicationx</fieldForValue>
<search>
<query>index=_internal sourcetype=splunkd component=DeployedApplication
| rex field=file "var(\/|\\\\)run(\/|\\\\)\w+(\/|\\\\)(?<app2>\w+)-"
| rex field=message "(etc|run)(\/|\\\\)(apps|\w+)(\/|\\\\)(?<app3>\w+)-\d+\.bundle"
| rex field=message "etc(\/|\\\\)apps(\/|\\\\)(?<app5>[^\/|\\\\|']+)"
| eval applicationx=coalesce(app,app2,app3,app5,application)
| stats count by applicationx
| fields - count</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal sourcetype=splunkd component=DeployedApplication $loglevelpicker$ $hostpicker$ $apppicker$
| table _time host app log_level event_message
| sort - _time</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">50</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
<row>
<panel>
<title>Last restart time</title>
<event>
<search>
<query>index=_internal sourcetype=splunkd log_level=INFO $hostpicker$ component=loader event_message="Splunkd starting*"</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">50</option>
<option name="list.drilldown">none</option>
<option name="list.wrap">1</option>
<option name="maxLines">0</option>
<option name="raw.drilldown">full</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.sortDirection">asc</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
</event>
</panel>
</row>
</form>
Like it a lot, but quick question. There are duplicated applications in the app picker, with a ‘.’ at the end of one. eg.
Splunk_TA_windows
Splunk_TA_windows.
This seems to be the default results when just looking at the ‘app’ field after running the basic query index=_internal sourcetype=splunkd component=DeployedApplication
Can these be excluded from the search or are they needed app!=”*.” ? They do show slightly different results/percentages int he app field.
Yeah, I didn’t try to exclude them, as they gave slightly different results than the apps w/out the “.”. Let me know how it works for you if you exclude them.
Hmm, I am not getting ‘Host’ or “Application’ to populate.